diff options
| -rw-r--r-- | gnu/local.mk | 1 | ||||
| -rw-r--r-- | gnu/packages/patches/cups-CVE-2020-10001.patch | 47 |
2 files changed, 0 insertions, 48 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 65f35a155c..cbc835aa85 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -934,7 +934,6 @@ dist_patch_DATA = \ %D%/packages/patches/crda-optional-gcrypt.patch \ %D%/packages/patches/clucene-contribs-lib.patch \ %D%/packages/patches/cube-nocheck.patch \ - %D%/packages/patches/cups-CVE-2020-10001.patch \ %D%/packages/patches/curl-use-ssl-cert-env.patch \ %D%/packages/patches/curl-7.77-tls-priority-string.patch \ %D%/packages/patches/cursynth-wave-rand.patch \ diff --git a/gnu/packages/patches/cups-CVE-2020-10001.patch b/gnu/packages/patches/cups-CVE-2020-10001.patch deleted file mode 100644 index 1b16c7d97c..0000000000 --- a/gnu/packages/patches/cups-CVE-2020-10001.patch +++ /dev/null @@ -1,47 +0,0 @@ -From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001 -From: Michael R Sweet <msweet@msweet.org> -Date: Mon, 1 Feb 2021 15:02:32 -0500 -Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001) - ---- - -diff --git a/cups/ipp.c b/cups/ipp.c -index 3d529346c..adbb26fba 100644 ---- a/cups/ipp.c -+++ b/cups/ipp.c -@@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */ - unsigned char *buffer, /* Data buffer */ - string[IPP_MAX_TEXT], - /* Small string buffer */ -- *bufptr; /* Pointer into buffer */ -+ *bufptr, /* Pointer into buffer */ -+ *bufend; /* End of buffer */ - ipp_attribute_t *attr; /* Current attribute */ - ipp_tag_t tag; /* Current tag */ - ipp_tag_t value_tag; /* Current value tag */ -@@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */ - } - - bufptr = buffer; -+ bufend = buffer + n; - - /* - * text-with-language and name-with-language are composite -@@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */ - - n = (bufptr[0] << 8) | bufptr[1]; - -- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string)) -+ if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string)) - { - _cupsSetError(IPP_STATUS_ERROR_INTERNAL, - _("IPP language length overflows value."), 1); -@@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */ - bufptr += 2 + n; - n = (bufptr[0] << 8) | bufptr[1]; - -- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE)) -+ if ((bufptr + 2 + n) > bufend) - { - _cupsSetError(IPP_STATUS_ERROR_INTERNAL, - _("IPP string length overflows value."), 1); |